[email protected]: News & Resources

By and for Technology-minded folks at Brown

DCC Meeting Notes – September 13th, 2017


IT Auditing at Brown

IT Audit at Brown – Presentation

Presentation by: Beltus Ikechukwu – IT Auditor

Agenda

  • Objective
    • Risk Management
      • Solution oriented approach – the three lines of defense
        • 1st line – Management Controls, Internal Control Measures (Example: Endpoint engineering/DCCs)
        • 2nd line – Financial control, security, risk management, quality, inspection, compliance (Example: Mark Dieterich)
        • 3rd line – Internal Audit
    • Internal audit at Brown
      • Independent, objective (does it make sense), assurance and consultative activity designed to add value to the organization.
      • Mission at Brown – Help the Corporation protect University resources and enhance the achievement of enterprise-wide strategies by evaluating and monitoring risks, processes and policies significant to the University’s mission.
      • Vision – Excel as a value-added service that is committed to your goals.
      • Authority – Has free, full and unrestricted access as necessary to all and any University information, activities, records, property, etc.
      • Process – Risk-based approach, Project Planning and Risk Assessment, Test Work, Reporting (Draft and Final), Follow-up
    • IT audit at Brown
      • Focused on risks that impact
        • Organizational Units – Centralized and Decentralized IT Processes.
        • Infrastructure – Networking, Compute, Storage.
      • A simple control model (SANS 20) – see slide show, page 15

  • Potential Risk – Insider threat, Point of Sale intrusions, Cyber Espionage/phishing/ransomware

  • FAQ
    • How is my department selected for an Audit?
      • Risk assessment or your request
    • How long does an audit typically take?
      • Depends on size, complexity, and strength of internal controls
    • How much of my time will the audit require?
      • We are considerate
    • How can I prepare for an audit?
      • Have key documents ready.
    • How confidential will the information I provide to you and my audit report be?
      • All info received and managed by the Office of Internal Audit Services is held at the appropriate level of confidentiality.

  • Common Findings
    • Lack of formalized policies and procedures
    • Inappropriate access management
    • Segregation of duties
    • Misconfigurations
    • Change management
    • Data Security

Questions

  • Most of us have our first encounter with IT Audit due to an incident. What is the threshold for when an IT audit will take place?
    • Answer – Auditing can take place during an incident to bring in an outside perspective like another set of eyes. It can be used as a time to help solve the issue while knowing the risk has been lowered or removed. There is no specific threshold.

Chris Grossi – Announcements

  • Mary Salvas has announced retirement
    • Licensing issues will go through Chris Grossi
  • Remote Apps have been rolled out to everyone
    • Remoteapp.brown.edu
  • PPrint upgrades were overall successful
    • Over 700 queues
  • Looking for interest in Adobe Stock software
    • The software provides a library of stock images.
  • Keyserver – Users should be seeing messages notifying them to upgrade to newer non-keyed software.
  • Google Drive app – being deprecated

Link to audio: http://www.brown.edu/cis/support/dcc/audio/audioarchive/DCC%20mtg%209-13-17.mp3

Written by Jason T Jacques

September 18th, 2017 at 9:35 am
